On Di, 05.04.22 17:38, Chris Murphy (lists(a)colorremedies.com) wrote:
Let me stress one thing though: Fedora *has* *no* working SecureBoot implementation. The initrd is not authenticated. It has no signatures, nothing.
By disabling SecureBoot you effectively lose exactly nothing in terms of security right now.
What good is a trusted boot loader or kernel if it then goes on loading an initrd that is not authenticated, super easy to modify (I mean, seriously, any idiot script kiddie can unpack a cpio, add some shell script and pack it up again, replacing the original one) – and it's the component that actually reads your FDE LUKS password.
I mean, let's not pretend unsigned drivers were a big issue for security right now. They are now, we have much much much wider gaping holes in our stack.
Lennart
-- Lennart Poettering, Berlin
To achieve such feature(SecureBoot signer Unified Images) I've had to make some hack'ish scripts to run dracut a second time glueing all together and signing it, after generating the initrd inside /boot:
- https://nwildner.com/posts/2021-04-10-secureboot-fedora/
Not proud of it, but it works(and I have cmdline + initrd + kernel + modules all signed as a bundle).
This could be the spark of a package idea for Unified images
nwildner